diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 7215ed2787..7c6bb4d033 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -102,24 +102,6 @@
"moniker_groups": [],
"version": 0
},
- {
- "docset_name": "microsoft-365",
- "build_source_folder": "microsoft-365",
- "build_output_subfolder": "microsoft-365",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes",
- "moniker_groups": [],
- "version": 0
- },
{
"docset_name": "microsoft-edge-VSTS",
"build_source_folder": "browsers/edge",
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 395247be86..c88dcfc75b 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -51,6 +51,11 @@
"redirect_document_id": true
},
{
+"source_path": "windows/configuration/configure-windows-telemetry-in-your-organization.md",
+"redirect_url": "/windows/configuration/configure-windows-diagnostic-data-in-your-organization",
+"redirect_document_id": true
+},
+{
"source_path": "windows/configuration/EventName.md",
"redirect_url": "/windows/configuration/enhanced-telemetry-windows-analytics-events-and-fields",
"redirect_document_id": true
@@ -8448,7 +8453,7 @@
{
"source_path": "bcs/index.md",
"redirect_url": "/microsoft-365/business/index",
-"redirect_document_id": true
+"redirect_document_id": false
},
{
"source_path": "bcs/support/microsoft-365-business-faqs.md",
@@ -8461,4 +8466,4 @@
"redirect_document_id": true
}
]
-}
\ No newline at end of file
+}
diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md
index 6b4a3479c5..20d0866be8 100644
--- a/devices/hololens/change-history-hololens.md
+++ b/devices/hololens/change-history-hololens.md
@@ -8,13 +8,19 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.localizationpriority: medium
-ms.date: 12/20/2017
+ms.date: 02/02/2018
---
# Change history for Microsoft HoloLens documentation
This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md).
+## February 2018
+
+New or changed topic | Description
+--- | ---
+[Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) | Replaced the instructions for upgrading to Windows Holographic for Business using Microsoft Intune with a link to the new Intune topic.
+
## December 2017
New or changed topic | Description
diff --git a/devices/hololens/hololens-upgrade-enterprise.md b/devices/hololens/hololens-upgrade-enterprise.md
index d85bb461aa..cc97f37aba 100644
--- a/devices/hololens/hololens-upgrade-enterprise.md
+++ b/devices/hololens/hololens-upgrade-enterprise.md
@@ -7,12 +7,12 @@ ms.pagetype: hololens, devices
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 02/02/2018
---
# Unlock Windows Holographic for Business features
-Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://developer.microsoft.com/windows/mixed-reality/release_notes#introducing_microsoft_hololens_commercial_suite), which provides extra features designed for business.
+Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://developer.microsoft.com/windows/mixed-reality/release_notes_-_august_2016#introducing_microsoft_hololens_commercial_suite), which provides extra features designed for business.
When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic for Business. This license can be applied to the device either through the organization's [mobile device management (MDM) provider](#edition-upgrade-using-mdm) or a [provisioning package](#edition-upgrade-using-a-provisioning-package).
@@ -25,50 +25,12 @@ When you purchase the Commercial Suite, you receive a license that upgrades Wind
The enterprise license can be applied by any MDM provider that supports the [WindowsLicensing configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn904983.aspx). The latest version of the Microsoft MDM API will support WindowsLicensing CSP.
+For step-by-step instructions for upgrading HoloLens using Microsoft Intune, see [Upgrade devices running Windows Holographic to Windows Holographic for Business](https://docs.microsoft.com/intune/holographic-upgrade).
-**Overview**
-
-1. Set up the edition upgrade policy.
-2. Deploy the policy.
-3. [Enroll the device through the Settings app](hololens-enroll-mdm.md).
-
-The procedures in this topic use Microsoft Intune as an example. On other MDM providers, the specific steps for setting up and deploying the policy might vary.
-
-### Set up the Edition Upgrade policy
-
-1. Sign into the Intune Dashboard with your Intune admin account.
-
-2. In the **Policy** workspace, select **Configuration Policies** and then **Add**.
-
- 
-
-3. In **Create a new policy**, select the **Edition Upgrade Policy (Windows 10 Holographic and later** template, and click **Create Policy**.
-
- 
-
-4. Enter a name for the policy.
-
-5. In the **Edition Upgrade** section, in **License File**, browse to and select the XML license file that was provided when you purchased the Commercial Suite.
-
- 
-
-5. Click **Save Policy**.
+ On other MDM providers, the specific steps for setting up and deploying the policy might vary.
-### Deploy the Edition Upgrade policy
-
-Next, you will assign the Edition Upgrade policy to selected groups.
-
-1. In the **Policy** workspace, select the Edition upgrade policy that you created, and then choose **Manage Deployment**.
-
-2. In the **Manage Deployment** dialog box, select one or more groups to which you want to deploy the policy, and then choose **Add** > **OK**.
-
-When these users enroll their devices in MDM, the Edition Upgrade policy will be applied.
-
-
-For more information about groups, see [Use groups to manage users and devices in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune).
-
## Edition upgrade using a provisioning package
Provisioning packages are files created by the Windows Configuration Designer tool that apply a specified configuration to a device.
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md
index 0deb4b8fbc..3999707536 100644
--- a/education/windows/set-up-school-pcs-technical.md
+++ b/education/windows/set-up-school-pcs-technical.md
@@ -292,7 +292,7 @@ The Set up School PCs app produces a specialized provisioning package that makes
Interactive logon: Sign-in last interactive user automatically after a system-initiated restart | Disabled |
- Shutdown: Allow system to be shut down without having to log on | Disabled |
+
Shutdown: Allow system to be shut down without having to log on | Enabled |
User Account Control: Behavior of the elevation prompt for standard users | Auto deny |
diff --git a/microsoft-365/docfx.json b/microsoft-365/docfx.json
deleted file mode 100644
index 585130e915..0000000000
--- a/microsoft-365/docfx.json
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "README.md",
- "LICENSE",
- "LICENSE-CODE",
- "ThirdPartyNotices"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {},
- "fileMetadata": {},
- "template": [],
- "dest": "microsoft-365"
- }
-}
\ No newline at end of file
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
index 38af4a8e01..80d4cc6d6c 100644
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -11,7 +11,7 @@ ms.date: 1/8/2018
# What's new in Microsoft Store for Business and Education
-Microsoft Store for Business and Education regularly releases new and improved feaures.
+Microsoft Store for Business and Education regularly releases new and improved features.
## Latest updates for Store for Business and Education
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index cf0031cf4f..b214cbdc2a 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -228,6 +228,7 @@
#### [RemoteManagement](policy-csp-remotemanagement.md)
#### [RemoteProcedureCall](policy-csp-remoteprocedurecall.md)
#### [RemoteShell](policy-csp-remoteshell.md)
+#### [RestrictedGroups](policy-csp-restrictedgroups.md)
#### [Search](policy-csp-search.md)
#### [Security](policy-csp-security.md)
#### [Settings](policy-csp-settings.md)
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 36cb8e6e0f..bcab5ce598 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -7,12 +7,15 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 06/26/2017
+ms.date: 01/29/2018
---
# Defender CSP
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
The following image shows the Windows Defender configuration service provider in tree format.
@@ -310,6 +313,11 @@ Node that can be used to perform signature updates for Windows Defender.
Supported operations are Get and Execute.
+**OfflineScan**
+Added in Windows 10, next major update. OfflineScan action starts a Windows Defender offline scan on the computer where you run the command. This command causes the computer reboot and start in Windows Defender offline mode to begin the scan.
+
+Supported operations are Get and Execute.
+
## Related topics
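Review bot: The added OfflineScan description is missing a word in "causes the computer reboot and start", so the sentence does not parse. Suggested wording: `This command causes the computer to reboot and start in Windows Defender offline mode to begin the scan.` Because Execute on this node restarts the device, consider saying so in the first sentence so an administrator pushing it to a fleet knows that users will be interrupted.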
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md
index 126869323b..4077ab58af 100644
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@@ -7,12 +7,15 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/05/2017
+ms.date: 01/29/20178
---
# Defender DDF file
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
This topic shows the OMA DM device description framework (DDF) for the **Defender** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
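Review bot: The new front-matter value `ms.date: 01/29/20178` has a stray trailing digit and is not a valid date. It should read `ms.date: 01/29/2018`, matching the date set on defender-csp.md in the same commit. Any tooling that validates or sorts on `ms.date` may reject or misorder this topic until it is fixed (inferred; the build rules are not visible here).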
@@ -22,648 +25,659 @@ The XML below is the current version for this CSP.
``` syntax
]>
+ "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
+ []>
- 1.2
-
+ 1.2
+
Defender
./Vendor/MSFT
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+ com.microsoft/1.1/MDM/Defender
+
- Detections
+ Detections
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+ ThreatId
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ThreatId
-
-
-
-
-
- Name
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- URL
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Severity
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- Category
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- CurrentStatus
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- ExecutionStatus
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- InitialDetectionTime
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- LastThreatStatusChangeTime
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- NumberOfDetections
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
+ Name
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+ URL
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Severity
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Category
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ CurrentStatus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ExecutionStatus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ InitialDetectionTime
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LastThreatStatusChangeTime
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NumberOfDetections
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
- Health
+ Health
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ComputerState
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
-
- ComputerState
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- DefenderEnabled
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RtpEnabled
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- NisEnabled
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- QuickScanOverdue
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- FullScanOverdue
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- SignatureOutOfDate
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- RebootRequired
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- FullScanRequired
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- EngineVersion
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- SignatureVersion
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- DefenderVersion
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- QuickScanTime
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- FullScanTime
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- QuickScanSigVersion
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
-
- FullScanSigVersion
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
-
+
+
+ DefenderEnabled
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RtpEnabled
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ NisEnabled
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ QuickScanOverdue
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ FullScanOverdue
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ SignatureOutOfDate
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ RebootRequired
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ FullScanRequired
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ EngineVersion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ SignatureVersion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DefenderVersion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ QuickScanTime
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ FullScanTime
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ QuickScanSigVersion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ FullScanSigVersion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
- Scan
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
+ Scan
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
- UpdateSignature
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- text/plain
-
-
+ UpdateSignature
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
-
+
+ OfflineScan
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
```
## Related topics
-[Defender configuration service provider](defender-csp.md)
-
-
-
-
-
-
-
-
-
-
+[Defender configuration service provider](defender-csp.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/images/provisioning-csp-defender.png b/windows/client-management/mdm/images/provisioning-csp-defender.png
index b3be3ba7f4..8d34e77eb9 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-defender.png and b/windows/client-management/mdm/images/provisioning-csp-defender.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png b/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png
index fdbeb278ab..c6e1215e4d 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png and b/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png differ
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 71fbb6027f..820cf5dfd6 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -1405,6 +1405,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
- AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration
- AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold
+- Browser/AllowConfigurationUpdateForBooksLibrary
- Browser/AlwaysEnableBooksLibrary
- Browser/EnableExtendedBooksTelemetry
- Browser/UseSharedFolderForBooks
@@ -1454,6 +1455,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
- LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
- LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
- LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
+- RestrictedGroups/ConfigureGroupMembership
- Search/AllowCortanaInAAD
- Search/DoNotUseWebResults
- Security/ConfigureWindowsPasswords
@@ -1514,6 +1516,20 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
[BitLocker CSP](bitlocker-csp.md) |
Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, next major update.
|
+
+[RemoteWipe CSP](remotewipe-csp.md) |
+Added the following nodes in Windows 10, next major update:
+
+- AutomaticRedeployment
+- doAutomaticRedeployment
+- LastError
+- Status
+
+ |
+
+[Defender CSP](defender-csp.md) |
+Added new node (OfflineScan) in Windows 10, next major update.
+ |
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index f109ef3f90..715c403580 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -434,6 +434,9 @@ The following diagram shows the Policy configuration service provider in tree fo
-
Browser/AllowBrowser
+ -
+ Browser/AllowConfigurationUpdateForBooksLibrary
+
-
Browser/AllowCookies
@@ -473,9 +476,9 @@ The following diagram shows the Policy configuration service provider in tree fo
-
Browser/AllowSmartScreen
-
+
-
Browser/ClearBrowsingDataOnExit
@@ -2484,6 +2487,13 @@ The following diagram shows the Policy configuration service provider in tree fo
+### RestrictedGroups policies
+
+ -
+ RestrictedGroups/ConfigureGroupMembership
+
+
+
### Search policies
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index 9ffaf7854f..da6abdd0ee 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/30/2018
+ms.date: 01/31/2018
---
# Policy CSP - Browser
@@ -30,6 +30,9 @@ ms.date: 01/30/2018
-
Browser/AllowBrowser
+ -
+ Browser/AllowConfigurationUpdateForBooksLibrary
+
-
Browser/AllowCookies
@@ -317,6 +320,64 @@ The following list shows the supported values:
+
+**Browser/AllowConfigurationUpdateForBooksLibrary**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Library.
+
+
+
+The following list shows the supported values:
+
+- 0 - Disable. Microsoft Edge cannot retrieve a configuration
+- 1 - Enable (default). Microsoft Edge can retrieve a configuration for Books Library
+
+
+
+
+
+
+
+
+
+
+
+
+
**Browser/AllowCookies**
@@ -2270,6 +2331,62 @@ The following list shows the supported values:
+
+**Browser/UseSharedFolderForBooks**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+This setting specifies whether organizations should use a folder shared across users to store books from the Books Library.
+
+
+
+The following list shows the supported values:
+
+- 0 - No shared folder.
+- 1 - Use a shared folder.
+
+
+
+
+
+
+
+
+
+
+
Footnote:
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
new file mode 100644
index 0000000000..8b0251476c
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -0,0 +1,96 @@
+---
+title: Policy CSP - RestrictedGroups
+description: Policy CSP - RestrictedGroups
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 01/12/2018
+---
+
+# Policy CSP - RestrictedGroups
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+
+
+
+
+## RestrictedGroups policies
+
+
+ -
+ RestrictedGroups/ConfigureGroupMembership
+
+
+
+
+
+**RestrictedGroups/ConfigureGroupMembership**
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+ 4 |
+ 4 |
+ 4 |
+ 4 |
+  |
+  |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership.
+
+> [!Note]
+> This policy is only scoped to the Administrators group at this time.
+
+Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.
+
+> [!Note]
+> If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Footnote:
+
+- 1 - Added in Windows 10, version 1607.
+- 2 - Added in Windows 10, version 1703.
+- 3 - Added in Windows 10, version 1709.
+
+
+
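Review bot: The edition table in this new file marks Pro, Business, Enterprise and Education with footnote `4`, but the Footnote list at the end defines only 1 to 3, so the reference has no target in the text visible here. Add the missing entry; going by the prerelease warning at the top it would presumably be `- 4 - Added in Windows 10, next major update.` (to be confirmed). The two tables added to policy-csp-browser.md also use `4`, and its footnote list lies outside the visible hunks, so check it too. Separately, the description shows no example of the policy value format; since the note says unlisted members, including default administrators, are removed on refresh, an example plus advice to keep at least one known-good administrator in the list would reduce the risk of lockout.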
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index 96c6d01d65..5f2c4def03 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -7,12 +7,15 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/13/2017
+ms.date: 01/29/2018
---
# RemoteWipe CSP
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely wipe a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely wiped after being lost or stolen.
The following diagram shows the RemoteWipe configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. Enterprise IT Professionals can update these settings by using the Exchange Server.
@@ -45,14 +48,27 @@ Supported operation is Exec.
**doWipePersistUserData**
Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command.
-## The Remote Wipe Process
+**AutomaticRedeployment**
+Added in Windows 10, next major update. Node for the Automatic Redeployment operation.
+**AutomaticRedeployment/doAutomaticRedeployment**
+Added in Windows 10, next major update. Exec on this node triggers Automatic Redeployment operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard.
-The remote wipe command is sent as an XML provisioning file to the device. Since the RemoteWipe Configuration Service Provider uses OMA DM and WAP, authentication between client and server and delivery of the XML provisioning file is handled by provisioning.
+**AutomaticRedeployment/LastError**
+Added in Windows 10, next major update. Error value, if any, associated with Automatic Redeployment operation (typically an HRESULT).
-In Windows 10 Mobile, the remote wipe command is implemented on the device by using the **ResetPhone** function. On the desktop, the remote wipe triggers the **Reset this PC** functionality with the **Remove everything** option.
+**AutomaticRedeployment/Status**
+Added in Windows 10, next major update. Status value indicating current state of an Automatic Redeployment operation.
-> **Note** On the desktop, the remote wipe effectively performs a factory reset and the PC does not retain any information about the command once the wipe completes. Any response from the device about the actual status or result of the command may be inconsistent and unreliable because the MDM information has been removed.
+Supported values:
+
+- 0: Never run (not started). The default state.
+- 1: Complete.
+- 10: Reset has been scheduled.
+- 20: Reset is scheduled and waiting for a reboot.
+- 30: Failed during CSP Execute ("Exec" in SyncML).
+- 40: Failed: power requirements not met.
+- 50: Failed: reset internals failed during reset attempt.
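Review bot: The `## The Remote Wipe Process` section is deleted with nothing replacing it, including its note that a desktop device's status response after a wipe may be inconsistent and unreliable. The added AutomaticRedeployment text is unrelated to that section, so the removal reads like an accidental overwrite; if the section is still accurate, keep it after the new `Supported values:` list. In addition, `AutomaticRedeployment/LastError` and `AutomaticRedeployment/Status` do not state their supported operations, unlike the other nodes in this topic. A line such as `Supported operation is Get.` would fit if that is what the DDF declares, which cannot be confirmed from this hunk.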
diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md
index c85f6ef82b..7d411543b5 100644
--- a/windows/client-management/mdm/remotewipe-ddf-file.md
+++ b/windows/client-management/mdm/remotewipe-ddf-file.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/05/2017
+ms.date: 01/29/2018
---
# RemoteWipe DDF file
@@ -17,7 +17,7 @@ This topic shows the OMA DM device description framework (DDF) for the **RemoteW
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is the DDF for Windows 10, version 1709.
+The XML below is the DDF for Windows 10, next major update.
``` syntax
@@ -43,7 +43,7 @@ The XML below is the DDF for Windows 10, version 1709.
-
+ com.microsoft/1.1/MDM/RemoteWipe
The root node for remote wipe function.
@@ -131,8 +131,94 @@ The XML below is the DDF for Windows 10, version 1709.
Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command.
+
+ AutomaticRedeployment
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ doAutomaticRedeployment
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ LastError
+
+
+
+
+ 0
+ Error value, if any, associated with Automatic Redeployment operation (typically an HRESULT).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ Status
+
+
+
+
+ 0
+ Status value indicating current state of an Automatic Redeployment operation. 0: Never run (not started). The default state. 1: Complete. 10: Reset has been scheduled. 20: Reset is scheduled and waiting for a reboot. 30: Failed during CSP Execute ("Exec" in SyncML). 40: Failed: power requirements not met. 50: Failed: reset internals failed during reset attempt.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
```
## Related topics
diff --git a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
index bb8e58dd2c..465bbd98f8 100644
--- a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
+++ b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md
@@ -1,6 +1,6 @@
---
-title: REST API reference for Micosoft Store for Business
-description: REST API reference for Micosoft Store for Business
+title: REST API reference for Microsoft Store for Business
+description: REST API reference for Microsoft Store for Business
MS-HAID:
- 'p\_phdevicemgmt.business\_store\_portal\_management\_rest\_api\_reference'
- 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business'
@@ -13,7 +13,7 @@ author: nickbrower
ms.date: 09/18/2017
---
-# REST API reference for Micosoft Store for Business
+# REST API reference for Microsoft Store for Business
Here's the list of available operations:
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 47b499d041..6b6afaec07 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -83,6 +83,9 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se
**InstallWindowsDefenderApplicationGuard**
Initiates remote installation of Application Guard feature. Supported operations are Get and Execute.
+- Install - Will initiate feature install
+- Uninstall - Will initiate feature uninstall
+
**Audit**
Interior node. Supported operation is Get
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
index ce324c8cf1..a12a531608 100644
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jdeckerms
-ms.date: 01/26/2018
+ms.date: 01/31/2018
---
# Change history for Configure Windows 10
@@ -26,6 +26,8 @@ New or changed topic | Description
[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) | Added section for removing default apps from the taskbar.
[Manage Windows 10 connection endpoints](manage-windows-endpoints-version-1709.md) | New topic for Windows 10, version 1709 that explains the purpose for connections to Microsoft services and how to manage them.
[Configure Windows Spotlight on the lock screen](windows-spotlight.md) | Added section for resolution of custom lock screen images.
+[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Added section for automatic sign-in after restart on unmanaged devices.
+
## November 2017
diff --git a/windows/configuration/diagnostic-data-viewer-overview.md b/windows/configuration/diagnostic-data-viewer-overview.md
index c009c6c0e2..fe1598c59f 100644
--- a/windows/configuration/diagnostic-data-viewer-overview.md
+++ b/windows/configuration/diagnostic-data-viewer-overview.md
@@ -47,10 +47,8 @@ You must start this app from the **Settings** panel.
2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button.
- 
-
-f -OR-
-
+ 
-OR-
+
Go to **Start** and search for _Diagnostic Data Viewer_.
3. Close the Diagnostic Data Viewer app, use your device as you normally would for a few days, and then open Diagnostic Data Viewer again to review the updated list of diagnostic data.
@@ -98,11 +96,8 @@ When you're done reviewing your diagnostic data, you should turn of data viewing
You can review additional Windows Error Reporting diagnostic data in the **View problem reports** tool. This tool provides you with a summary of various crash reports that are sent to Microsoft as part of Windows Error Reporting. We use this data to find and fix specific issues that are hard to replicate and to improve the Windows operating system.
**To view your Windows Error Reporting diagnostic data**
-1. Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Security and Maintenance** > **Problem Reports**.
-
-- OR -
-
- Go to **Start** and search for _Problem Reports_.
+1. Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Security and Maintenance** > **Problem Reports**.
-OR-
+ Go to **Start** and search for _Problem Reports_.
The **Review problem reports** tool opens, showing you your Windows Error Reporting reports, along with a status about whether it was sent to Microsoft.
diff --git a/windows/configuration/images/auto-signin.png b/windows/configuration/images/auto-signin.png
new file mode 100644
index 0000000000..260376199e
Binary files /dev/null and b/windows/configuration/images/auto-signin.png differ
diff --git a/windows/configuration/index.md b/windows/configuration/index.md
index c462632c79..e38d95e4ca 100644
--- a/windows/configuration/index.md
+++ b/windows/configuration/index.md
@@ -20,6 +20,7 @@ Enterprises often need to apply custom configurations to devices for their users
| Topic | Description |
| --- | --- |
| [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | Use this article to make informed decisions about how you can configure Windows diagnostic data in your organization. |
+|[Diagnostic Data Viewer overview](diagnostic-data-viewer-overview.md) |Learn about the categories of diagnostic data your device is sending to Microsoft, along with how it's being used.|
| [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1709. |
|[Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)|Learn about diagnostic data that is collected by Windows Analytics.|
| [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1703. |
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 7e5d71562c..ea121c6820 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: edu, security
author: jdeckerms
ms.localizationpriority: high
-ms.date: 11/26/2018
+ms.date: 01/31/2018
ms.author: jdecker
---
@@ -52,6 +52,7 @@ If you don't want to use a provisioning package, you can deploy the configuratio
- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709
+
## Create XML file
Let's start by looking at the basic structure of the XML file.
diff --git a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
index fcbf41202b..0fe1c5b458 100644
--- a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
+++ b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: high
-ms.date: 10/16/2017
+ms.date: 01/31/2018
---
# Set up a kiosk on Windows 10 Pro, Enterprise, or Education
@@ -37,9 +37,15 @@ To return the device to the regular shell, see [Sign out of assigned access](#si
>[!NOTE]
>A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.
-
+## Using a local device as a kiosk
+When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
+If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do.
+
+If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device.
+
+
## Set up a kiosk using Windows Configuration Designer
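Review bot: The new "Using a local device as a kiosk" section only covers the case where the kiosk account was the last to sign in, and does not say what happens after a restart when another account was last, for example an administrator who signed in for maintenance. By the paragraph's own description that account would be the one signed in automatically, which on a public-facing kiosk deserves an explicit warning. I would add after the first paragraph: `If an account other than the kiosk account was the last to sign in, that account is signed in after the restart instead; sign back in with the kiosk account before you leave the device unattended.` Whether the session is left locked in that case is not stated in the hunk and should be confirmed before publishing. The first two added paragraphs also have no blank line between them, so they will render as one.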
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index c5ccc885d1..d306bd8ea5 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -8,6 +8,7 @@
### [Configure VDA for Subscription Activation](vda-subscription-activation.md)
### [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md)
## [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md)
+### [Submit Windows 10 upgrade errors](upgrade/submit-errors.md)
## [Deploy Windows 10](deploy.md)
diff --git a/windows/deployment/images/downlevel.PNG b/windows/deployment/images/downlevel.PNG
new file mode 100644
index 0000000000..dff0ebb02b
Binary files /dev/null and b/windows/deployment/images/downlevel.PNG differ
diff --git a/windows/deployment/images/event.PNG b/windows/deployment/images/event.PNG
new file mode 100644
index 0000000000..3950d795ca
Binary files /dev/null and b/windows/deployment/images/event.PNG differ
diff --git a/windows/deployment/images/feedback.PNG b/windows/deployment/images/feedback.PNG
new file mode 100644
index 0000000000..15e171c4ed
Binary files /dev/null and b/windows/deployment/images/feedback.PNG differ
diff --git a/windows/deployment/images/firstboot.PNG b/windows/deployment/images/firstboot.PNG
new file mode 100644
index 0000000000..dfb798c93c
Binary files /dev/null and b/windows/deployment/images/firstboot.PNG differ
diff --git a/windows/deployment/images/safeos.PNG b/windows/deployment/images/safeos.PNG
new file mode 100644
index 0000000000..88c31087a4
Binary files /dev/null and b/windows/deployment/images/safeos.PNG differ
diff --git a/windows/deployment/images/secondboot.PNG b/windows/deployment/images/secondboot.PNG
new file mode 100644
index 0000000000..670fdce7b0
Binary files /dev/null and b/windows/deployment/images/secondboot.PNG differ
diff --git a/windows/deployment/images/secondboot2.PNG b/windows/deployment/images/secondboot2.PNG
new file mode 100644
index 0000000000..0034737e90
Binary files /dev/null and b/windows/deployment/images/secondboot2.PNG differ
diff --git a/windows/deployment/images/secondboot3.PNG b/windows/deployment/images/secondboot3.PNG
new file mode 100644
index 0000000000..c63ef6939d
Binary files /dev/null and b/windows/deployment/images/secondboot3.PNG differ
diff --git a/windows/deployment/images/share.jpg b/windows/deployment/images/share.jpg
new file mode 100644
index 0000000000..e8365ad34c
Binary files /dev/null and b/windows/deployment/images/share.jpg differ
diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md
index 9350288947..175f553534 100644
--- a/windows/deployment/update/device-health-get-started.md
+++ b/windows/deployment/update/device-health-get-started.md
@@ -24,7 +24,7 @@ Steps are provided in sections that follow the recommended setup process:
Device Health has the following requirements:
1. Device Health is currently only compatible with Windows 10 and Windows Server 2016 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops).
2. The solution requires that at least the [enhanced level of diagnostic data](https://technet.microsoft.com/itpro/windows/manage/configure-windows-diagnostic-data-in-your-organization#basic-level) is enabled on all devices that are intended to be displayed in the solution. To learn more about Windows diagnostic data, see [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
-3. The diagnostic data of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the diagnostic data services](https://technet.microsoft.com/itpro/windows/manage/configure-windows-diagnostic-data-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on diagnostic data endpoints and summarizes the use of each endpoint:
+3. The diagnostic data of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the diagnostic data services](/windows/configuration//configure-windows-diagnostic-data-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on diagnostic data endpoints and summarizes the use of each endpoint:
Service | Endpoint
--- | ---
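Review bot: The rewritten link in item 3 has a doubled slash, `/windows/configuration//configure-windows-diagnostic-data-in-your-organization#endpoints`, which looks like a typo and may not resolve the same way as the single-slash path used at the end of item 2. It should read `(/windows/configuration/configure-windows-diagnostic-data-in-your-organization#endpoints)`. Item 2, left unchanged by this hunk, still points its "enhanced level" link at the old technet URL with a `#basic-level` anchor, which seems worth correcting in the same pass.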
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index ead61e2d95..354ad86c3d 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -36,7 +36,7 @@ Update Compliance has the following requirements:
4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Troublehsoot Windows Defender Antivirus reporting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md) topic for help on ensuring the configuration is correct.
- For endpoints running Windows 10, version 1607 or earlier, [Windows diagnostic data must also be set to **Enhanced**](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level), to be compatible with Windows Defender Antivirus.
+ For endpoints running Windows 10, version 1607 or earlier, [Windows diagnostic data must also be set to **Enhanced**](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level), to be compatible with Windows Defender Antivirus.
See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index f705f7b85f..b6260dbd6d 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -28,7 +28,7 @@ ms.date: 10/13/2017
You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx).
>[!IMPORTANT]
->For Windows Update for Business policies to be honored, the Diagnostic Data level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system diagnostic data level](https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-diagnostic-data-in-your-organization#configure-the-operating-system-diagnostic-data-level).
+>For Windows Update for Business policies to be honored, the Diagnostic Data level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels).
Some Windows Update for Business policies are not applicable or behave differently for devices running Windows 10 Mobile Enterprise. Specifically, policies pertaining to Feature Updates will not be applied to Windows 10 Mobile Enterprise. All Windows 10 Mobile updates are recognized as Quality Updates, and can only be deferred or paused using the Quality Update policy settings. Additional information is provided in this topic and in [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md).
diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md
index d694f2ff14..6af7a05dfe 100644
--- a/windows/deployment/update/waas-optimize-windows-10-updates.md
+++ b/windows/deployment/update/waas-optimize-windows-10-updates.md
@@ -51,7 +51,7 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
Windows 10 quality update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express.
>[!NOTE]
->Currently, Express update delivery only applies to quality update downloads.
+>Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business.
### How Microsoft supports Express
- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or 1607 with the April 2017 cumulative update.
diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
index 858ea4aed7..16de770ebb 100644
--- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
@@ -16,17 +16,19 @@ ms.localizationpriority: high
**Applies to**
- Windows 10
->**Important**: This topic contains technical instructions for IT administrators. If you are not an IT administrator, see [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/en-us/help/10587/windows-10-get-help-with-upgrade-installation-errors) for more information.
+>**Important**: This topic contains technical instructions for IT administrators. If you are not an IT administrator, see the following topic: [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/en-us/help/10587/windows-10-get-help-with-upgrade-installation-errors). You can also [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md).
## In this topic
This topic contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. The following sections and procedures are provided in this guide:
+- [Troubleshooting upgrade errors](#troubleshooting-upgrade-errors): General advice and techniques for troubleshooting Windows 10 upgrade errors.
- [The Windows 10 upgrade process](#the-windows-10-upgrade-process): An explanation of phases used during the upgrade process.
- [Quick fixes](#quick-fixes): Steps you can take to eliminate many Windows upgrade errors.
- [Upgrade error codes](#upgrade-error-codes): The components of an error code are explained.
- [Result codes](#result-codes): Information about result codes.
- [Extend codes](#extend-codes): Information about extend codes.
+- [Windows Error Reporting](#windows-error-reporting): How to use Event Viewer to review details about a Windows 10 upgrade.
- [Log files](#log-files): A list and description of log files useful for troubleshooting.
- [Log entry structure](#log-entry-structure): The format of a log entry is described.
- [Analyze log files](#analyze-log-files): General procedures for log file analysis, and an example.
@@ -36,19 +38,61 @@ This topic contains a brief introduction to Windows 10 installation processes, a
- [Other result codes](#other-result-codes): Additional causes and mitigation procedures are provided for some result codes.
- [Other error codes](#other-error-codes): Additional causes and mitigation procedures are provided for some error codes.
+## Troubleshooting upgrade errors
+
+If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process.
+
+Briefly, the upgrade process consists of four phases: **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase.
+
+These phases are explained in greater detail [below](#the-windows-10-upgrade-process). First, let's summarize the actions performed during each phase because this affects the type of errors that can be encountered.
+
+1. **Downlevel phase**: Because this phase runs on the source OS, upgrade errors are not typically seen. If you do encounter an error, ensure the source OS is stable. Also ensure the Windows setup source and the destination drive are accessible.
+
+2. **SafeOS phase**: Errors most commonly occur during this phase due to hardware issues, firmware issues, or non-microsoft disk encryption software.
+
+ Since the computer is booted into Windows PE during the SafeOS phase, a useful troubleshooting technique is to boot into [Windows PE](https://docs.microsoft.com/windows-hardware/manufacture/desktop/winpe-intro) using installation media. You can use the [media creation tool](https://www.microsoft.com/software-download/windows10) to create bootable media, or you can use tools such as the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit), and then boot your device from this media to test for hardware and firmware compatibility issues.
+
+ **Do not proceed with the Windows 10 installation after booting from this media**. This method can only be used to perform a clean install which will not migrate any of your apps and settings, and you will be required re-enter your Windows 10 license information.
+
+ If the computer does not successfully boot into Windows PE using the media that you created, this is likely due to a hardware or firmware issue. Check with your hardware manufacturer and apply any recommended BIOS and firmware updates. If you are still unable to boot to installation media after applying updates, disconnect or replace legacy hardware.
+
+ If the computer successfully boots into Windows PE, but you are not able to browse the system drive on the computer, it is possible that non-Microsoft disk encryption software is blocking your ability to perform a Windows 10 upgrade. Update or temporarily remove the disk encryption.
+
+3. **First boot phase**: Boot failures in this phase are relatively rare, and almost exclusively caused by device drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, then retry the upgrade.
+
+4. **Second boot phase**: In this phase, the system is running under the target OS with new drivers. Boot failures are most commonly due to anti-virus software or filter drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, temporarily uninstall anti-virus software, then retry the upgrade.
+
+If the general troubleshooting techniques described above or the [quick fixes](#quick-fixes) detailed below do not resolve your issue, you can attempt to analyze [log files](#log-files) and interpret [upgrade error codes](#upgrade-error-codes). You can also [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md) so that Microsoft can diagnose your issue.
+
## The Windows 10 upgrade process
-The Windows Setup application is used to upgrade a computer to Windows 10, or to perform a clean installation. Windows Setup starts and restarts the computer, gathers information, copies files, and creates or adjusts configuration settings. When performing an operating system upgrade, Windows Setup uses the following phases:
+The **Windows Setup** application is used to upgrade a computer to Windows 10, or to perform a clean installation. Windows Setup starts and restarts the computer, gathers information, copies files, and creates or adjusts configuration settings.
-1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Installation components are gathered.
-2. **Safe OS phase**: A recovery partition is configured and updates are installed. An OS rollback is prepared if needed.
- - Example error codes: 0x2000C, 0x20017
-3. **First boot phase**: Initial settings are applied.
- - Example error codes: 0x30018, 0x3000D
-4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**.
- - Example error: 0x4000D, 0x40017
-5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful.
- - Example error: 0x50000
+When performing an operating system upgrade, Windows Setup uses phases described below. A reboot occurs between each of the phases. After the first reboot, the user interface will remain the same until the upgrade is completed. Percent progress is displayed and will advance as you move through each phase, reaching 100% at the end of the second boot phase.
+
+1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Windows files are copied and installation components are gathered.
+
+ 
+
+2. **Safe OS phase**: A recovery partition is configured, Windows files are expanded, and updates are installed. An OS rollback is prepared if needed. Example error codes: 0x2000C, 0x20017.
+
+ 
+
+3. **First boot phase**: Initial settings are applied. Example error codes: 0x30018, 0x3000D.
+
+ 
+
+4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**. Example error codes: 0x4000D, 0x40017.
+
+ At the end of the second boot phase, the **Welcome to Windows 10** screen is displayed, preferences are configured, and the Windows 10 sign-in prompt is displayed.
+
+ 
+
+ 
+
+ 
+
+5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful (image not shown). Example error codes: 0x50000, 0x50015.
**Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown):
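Review bot: The added troubleshooting steps tell the reader to "temporarily remove the disk encryption" (SafeOS phase) and "temporarily uninstall anti-virus software" (Second boot phase) but never say to restore them. I would close each step with a sentence such as `Re-enable disk encryption and reinstall anti-virus software as soon as the upgrade completes or is abandoned.`, and recommend suspending protection rather than removing it where the product supports that. Smaller wording points in the same hunk: `non-microsoft` should be `non-Microsoft` as in the later paragraph, `you will be required re-enter` is missing `to`, and the phase is spelled both `SafeOS` and `Safe OS`.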
@@ -58,6 +102,7 @@ DU = Driver/device updates.
OOBE = Out of box experience.
WIM = Windows image (Microsoft)
+
## Quick fixes
The following steps can resolve many Windows upgrade problems.
@@ -92,13 +137,16 @@ The following steps can resolve many Windows upgrade problems.
If the upgrade process is not successful, Windows Setup will return two codes:
-1. **A result code**: The result code corresponds to a specific Win32 error.
-2. **An extend code**: The extend code contains information about both the *phase* in which an error occurred, and the *operation* that was being performed when the error occurred.
+1. **A result code**: The result code corresponds to a specific Win32 or NTSTATUS error.
+2. **An extend code**: The extend code contains information about both the *phase* in which an error occurred, and the *operation* that was being performed when the error occurred.
>For example, a result code of **0xC1900101** with an extend code of **0x4000D** will be returned as: **0xC1900101 - 0x4000D**.
Note: If only a result code is returned, this can be because a tool is being used that was not able to capture the extend code. For example, if you are using the [Windows 10 Upgrade Assistant](https://support.microsoft.com/en-us/kb/3159635) then only a result code might be returned.
+>[!TIP]
+>If you are unable to locate the result and extend error codes, you can attempt to find these codes using Event Viewer. For more information, see [Windows Error Reporting](#windows-error-reporting).
+
### Result codes
>A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue.
To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](#resolution-procedures) section later in this topic.
@@ -127,7 +175,7 @@ Some result codes are self-explanatory, whereas others are more generic and requ
### Extend codes
->Important: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update.
+>**Important**: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update.
Extend codes can be matched to the phase and operation when an error occurred. To match an extend code to the phase and operation:
@@ -201,10 +249,50 @@ The following tables provide the corresponding phase and operation for values of
For example: An extend code of **0x4000D**, represents a problem during phase 4 (**0x4**) with data migration (**000D**).
+## Windows Error Reporting
+
+When Windows Setup fails, the result and extend code are recorded as an informational event in the Application log by Windows Error Reporting as event 1001. The event name is **WinSetupDiag02**. You can use Event Viewer to review this event, or you can use Windows PowerShell.
+
+To use Windows PowerShell, type the following commands from an elevated Windows PowerShell prompt:
+
+```
+$events = Get-WinEvent -FilterHashtable @{LogName="Application";ID="1001";Data="WinSetupDiag02"}
+$event = [xml]$events[0].ToXml()
+$event.Event.EventData.Data
+```
+
+To use Event Viewer:
+1. Open Event Viewer and navigate to **Windows Logs\Application**.
+2. Click **Find**, and then search for **winsetupdiag02**.
+3. Double-click the event that is highlighted.
+
+Note: For legacy operating systems, the Event Name was WinSetupDiag01.
+
+Ten parameters are listed in the event:
+
+
+P1: The Setup Scenario (1=Media,5=WindowsUpdate,7=Media Creation Tool) |
+P2: Setup Mode (x=default,1=Downlevel,5=Rollback) |
+P3: New OS Architecture (x=default,0=X86,9=AMD64) |
+P4: Install Result (x=default,0=Success,1=Failure,2=Cancel,3=Blocked) |
+P5: Result Error Code (Ex: 0xc1900101) |
+P6: Extend Error Code (Ex: 0x20017) |
+P7: Source OS build (Ex: 9600) |
+P8: Source OS branch (not typically available) |
+P9: New OS build (Ex: 16299} |
+P10: New OS branch (Ex: rs3_release} |
+
+
+The event will also contain links to log files that can be used to perform a detailed diagnosis of the error. An example of this event from a successful upgrade is shown below.
+
+
+
## Log files
Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that you can determine the phase from the extend code.
+Note: Also see the [Windows Error Reporting](#windows-error-reporting) section in this document for help locating error codes and log files.
+
The following table describes some log files and how to use them for troubleshooting purposes:
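Review bot: The PowerShell sample in the new Windows Error Reporting section assigns to `$event`, which is an automatic variable in PowerShell, and indexes `$events[0]` without covering the case where no matching event exists. I would rename the variable, `$setupEvent = [xml]$events[0].ToXml()` followed by `$setupEvent.Event.EventData.Data`, and state in the text that Get-WinEvent reports an error when no event 1001 for WinSetupDiag02 is found. In the parameter list, `(Ex: 16299}` and `(Ex: rs3_release}` close with a brace instead of a parenthesis. The code fence also has no language tag, so it will not be highlighted as PowerShell.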
diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md
new file mode 100644
index 0000000000..2118867a21
--- /dev/null
+++ b/windows/deployment/upgrade/submit-errors.md
@@ -0,0 +1,69 @@
+---
+title: Submit Windows 10 upgrade errors using Feedback Hub
+description: Submit Windows 10 upgrade errors for diagnosis using feedback hub
+keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, feedback
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.date: 02/01/2018
+ms.localizationpriority: high
+---
+
+# Submit Windows 10 upgrade errors using Feedback Hub
+
+**Applies to**
+- Windows 10
+
+## In this topic
+
+This topic describes how to submit problems with a Windows 10 upgrade to Microsoft using the Windows 10 Feedback Hub.
+
+## About the Feedback Hub
+
+The Feedback Hub app lets you tell Microsoft about any problems you run in to while using Windows 10 and send suggestions to help us improve your Windows experience. Previously, you could only use the Feedback Hub if you were in the Windows Insider Program. Now anyone can use this tool. You can download the Feedback Hub app from the Microsoft Store [here](https://www.microsoft.com/en-us/store/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0).
+
+The Feedback Hub requires Windows 10 or Windows 10 mobile. If you are having problems upgrading from an older version of Windows to Windows 10, you can use the Feedback Hub to submit this information, but you must collect the log files from the legacy operating system and then attach these files to your feedback using a device that is running Windows 10. If you are upgrading to Windows 10 from a previous verion of Windows 10, the Feedback Hub will collect log files automatically.
+
+## Submit feedback
+
+To submit feedback about a failed Windows 10 upgrade, click the following link: [Feedback Hub](feedback-hub://?referrer=resolveUpgradeErrorsPage&tabid=2&contextid=81&newFeedback=true&feedbackType=2&topic=submit-errors.md)
+
+The Feedback Hub will open.
+
+- Under **Tell us about it**, and then under **Summarize your issue**, type **Upgrade failing**.
+- Under **Give us more detail**, provide additional information about the failed upgrade, such as:
+ - When did the failure occur?
+ - Were there any reboots?
+ - How many times did the system reboot?
+ - How did the upgrade fail?
+ - Were any error codes visible?
+ - Did the computer fail to a blue screen?
+ - Did the computer automatically roll back or did it hang, requiring you to power cycle it before it rolled back?
+- Additional details
+ - What type of security software is installed?
+ - Is the computer up to date with latest drivers and firmware?
+ - Are there any external devices connected?
+- If you used the link above, the category and subcategory will be automatically selected. If it is not selected, choose **Install and Update** and **Windows Installation**.
+
+You can attach a screenshot or file if desired. This is optional.
+
+Click **Submit** to send your feedback.
+
+See the following example:
+
+
+
+After you click Submit, that's all you need to do. Microsoft will receive your feedback and begin analyzing the issue. You can check on your feedback periodically to see what solutions have been provided.
+
+## Link to your feedback
+
+After your feedback is submitted, you can email or post links to it by opening the Feedback Hub, clicking My feedback at the top, clicking the feedback item you submitted, clicking **Share**, then copying the short link that is displayed.
+
+
+
+## Related topics
+
+[Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx)
+
diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
index 3e838c9578..fb04dd5bf6 100644
--- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
+++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
@@ -263,7 +263,7 @@ The deployment script displays the following exit codes to let you know if it wa
\Windows\DataCollection**
or **HKLM:\SOFTWARE\Microsoft\Windows
\CurrentVersion\Policies\DataCollection**
- For Windows 10 machines, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will throw an error if this is not true. For more information, see [Configure Windows diagnostic data in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-diagnostic-data-in-your-organization). |
+ For Windows 10 machines, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will throw an error if this is not true. For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). |
40 - Function **CheckTelemetryOptIn** failed with an unexpected exception. |
diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md
index a00a5c05f7..ae10dbe161 100644
--- a/windows/deployment/upgrade/upgrade-readiness-get-started.md
+++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md
@@ -84,7 +84,8 @@ To enable data sharing, whitelist the following endpoints. Note that you may nee
|---------------------------------------------------------|-----------|
| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Telemetry component endpoint for Windows 10 computers. User computers send data to Microsoft through this endpoint.
| `https://vortex-win.data.microsoft.com` | Connected User Experience and Telemetry component endpoint for operating systems older than Windows 10
-| `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft. |
+| `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft.
+| `https://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. |
Note: The compatibility update KB runs under the computer’s system account.
diff --git a/windows/device-security/bitlocker/bitlocker-basic-deployment.md b/windows/device-security/bitlocker/bitlocker-basic-deployment.md
index 8a37191b30..9a2d09f6a4 100644
--- a/windows/device-security/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/device-security/bitlocker/bitlocker-basic-deployment.md
@@ -182,8 +182,9 @@ Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Window
-
-### Encrypting volumes using the manage-bde command line interface
+
+
+## Encrypting volumes using the manage-bde command line interface
Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](http://technet.microsoft.com/library/ff829849.aspx).
Manage-bde offers a multitude of wider options for configuring BitLocker. This means that using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected.
@@ -240,9 +241,8 @@ A common protector for a data volume is the password protector. In the example b
manage-bde -protectors -add -pw C:
manage-bde -on C:
```
-## Using manage-bde to encrypt volumes with BitLocker
-### Encrypting volumes using the BitLocker Windows PowerShell cmdlets
+## Encrypting volumes using the BitLocker Windows PowerShell cmdlets
Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets.
@@ -442,9 +442,7 @@ Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "
```
> **Note:** Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
-## Using PowerShell to encrypt volumes with BitLocker
-
-### Checking BitLocker status
+## Checking BitLocker status
To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We will look at each of the available methods in the following section.
diff --git a/windows/hub/images/W10-WaaS-poster-old.PNG b/windows/hub/images/W10-WaaS-poster-old.PNG
new file mode 100644
index 0000000000..d3887faf89
Binary files /dev/null and b/windows/hub/images/W10-WaaS-poster-old.PNG differ
diff --git a/windows/hub/images/W10-WaaS-poster.PNG b/windows/hub/images/W10-WaaS-poster.PNG
index d3887faf89..de2251a9f2 100644
Binary files a/windows/hub/images/W10-WaaS-poster.PNG and b/windows/hub/images/W10-WaaS-poster.PNG differ
diff --git a/windows/hub/index.md b/windows/hub/index.md
index c2f87b5f74..7d1f965f9d 100644
--- a/windows/hub/index.md
+++ b/windows/hub/index.md
@@ -8,7 +8,7 @@ author: greg-lindsay
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.date: 12/18/2017
+ms.date: 02/02/2018
---
# Windows 10 and Windows 10 Mobile
@@ -19,51 +19,48 @@ Find the latest how to and support content that IT pros need to evaluate, plan,
> [!video https://www.microsoft.com/en-us/videoplayer/embed/43942201-bec9-4f8b-8ba7-2d9bfafa8bba?autoplay=false]
+
-
+
- What's New?
+ What's New?
|
- Configuration
+ Configuration
|
- Deployment
+ Deployment
|
- Client Management
+ Client Management
|
-
-
- |
-
-
+ |
Application Management
|
-
+ |
Access Protection
|
-
+ |
Device Security
|
-
+ |
Threat Protection
diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md
index 42ede7cb70..58317c1029 100644
--- a/windows/threat-protection/TOC.md
+++ b/windows/threat-protection/TOC.md
@@ -254,6 +254,7 @@
#### [Enable Exploit protection](windows-defender-exploit-guard\enable-exploit-protection.md)
#### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
##### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard\import-export-exploit-protection-emet-xml.md)
+#### [Troubleshoot Exploit protection mitigations](windows-defender-exploit-guard\troubleshoot-exploit-protection-mitigations.md)
### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
#### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
#### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
diff --git a/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
index 71c3fac2d7..387b02dde9 100644
--- a/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
+++ b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
@@ -37,7 +37,7 @@ Answering frequently asked questions about Windows Defender Application Guard (A
| | |
|---|----------------------------|
|**Q:** |Can employees copy and paste between the host device and the Application Guard Edge session?|
-|**A:** |Depending on your organization's settings, employees can copy and paste images and text (.bmp) to and from the isolated container.|
+|**A:** |Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container.|
| | |
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index 926d1d9c7d..1da2319b09 100644
--- a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -118,66 +118,6 @@ Configuration for onboarded machines: diagnostic data reporting frequency | ./De
> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
-### Using the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher
-
-1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
-
- a. Select **Endpoint management** > **Clients** on the **Navigation pane**.
-
- b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
-
- 
-
-2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
-
-3. Login to the [Microsoft Azure portal](https://portal.azure.com).
-
-4. From the Intune blade, choose **Device configuration**.
-
- 
-
-5. Under **Manage**, choose **Profiles** and click **Create Profile**.
-
- 
-
-6. Type a name, description and choose **Windows 10 and later** as the Platform and **Custom** as the Profile type.
-
- 
-
-7. Click **Settings** > **Configure**.
-
- 
-
-8. Under Custom OMA-URI Settings, click **Add**.
-
- 
-
-9. Enter the following values, then click **OK**.
-
- 
-
- - **Name**: Type a name for the setting.
- - **Description**: Type a description for the setting.
- - **OMA-URI**: _./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding_
- - **Value**: Copy and paste the contents of the WindowsDefenderATP.onboarding file you downloaded.
-
-10. Save the settings by clicking **OK**.
-
-11. Click **Create**.
-
- 
-
-12. To deploy the Profile, click **Assignments**.
-
- 
-
-13. Search for and select the Group you want to apply the Configuration Profile to, then click **Select**.
-
- 
-
-14. Click **Save** to finish deploying the Configuration Profile.
-
- 
### Offboard and monitor endpoints
diff --git a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
new file mode 100644
index 0000000000..eb71a22518
--- /dev/null
+++ b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
@@ -0,0 +1,217 @@
+---
+title: Deploy Exploit protection mitigations across your organization
+keywords: Exploit protection, mitigations, troubleshoot, import, export, configure, emet, convert, conversion, deploy, install
+description: Remove unwanted Exploit protection mitigations.
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 01/31/18
+---
+
+
+
+# Troubleshoot Exploit protection mitigations
+
+
+**Applies to:**
+
+- Windows 10, version 1709
+
+
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Windows Defender Security Center app
+- PowerShell
+
+
+When you create a set of Exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations.
+
+You can manually remove unwanted mitigations in Windows Defender Security Center, or you can use the following process to remove all mitigations and then import a baseline configuration file instead.
+
+1. Remove all process mitigations with this PowerShell script:
+
+ ```PowerShell
+ # Check if Admin-Privileges are available
+ function Test-IsAdmin {
+ ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
+ }
+
+ # Delete ExploitGuard ProcessMitigations for a given key in the registry. If no other settings exist under the specified key,
+ # the key is deleted as well
+ function Remove-ProcessMitigations([Object] $Key, [string] $Name) {
+ Try {
+ if ($Key.GetValue("MitigationOptions")) {
+ Write-Host "Removing MitigationOptions for: " $Name
+ Remove-ItemProperty -Path $Key.PSPath -Name "MitigationOptions" -ErrorAction Stop;
+ }
+ if ($Key.GetValue("MitigationAuditOptions")) {
+ Write-Host "Removing MitigationAuditOptions for: " $Name
+ Remove-ItemProperty -Path $Key.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
+ }
+
+ # Remove the FilterFullPath value if there is nothing else
+ if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 1) -and ($Key.GetValue("FilterFullPath"))) {
+ Remove-ItemProperty -Path $Key.PSPath -Name "FilterFullPath" -ErrorAction Stop;
+ }
+
+ # If the key is empty now, delete it
+ if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 0)) {
+ Write-Host "Removing empty Entry: " $Name
+ Remove-Item -Path $Key.PSPath -ErrorAction Stop
+ }
+ }
+ Catch {
+ Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
+ }
+ }
+
+ # Delete all ExploitGuard ProcessMitigations
+ function Remove-All-ProcessMitigations {
+ if (!(Test-IsAdmin)) {
+ throw "ERROR: No Administrator-Privileges detected!"; return
+ }
+
+ Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | ForEach-Object {
+ $MitigationItem = $_;
+ $MitigationItemName = $MitigationItem.PSChildName
+
+ Try {
+ Remove-ProcessMitigations $MitigationItem $MitigationItemName
+
+ # "UseFilter" indicate full path filters may be present
+ if ($MitigationItem.GetValue("UseFilter")) {
+ Get-ChildItem -Path $MitigationItem.PSPath | ForEach-Object {
+ $FullPathItem = $_
+ if ($FullPathItem.GetValue("FilterFullPath")) {
+ $Name = $MitigationItemName + "-" + $FullPathItem.GetValue("FilterFullPath")
+ Write-Host "Removing FullPathEntry: " $Name
+ Remove-ProcessMitigations $FullPathItem $Name
+ }
+
+ # If there are no subkeys now, we can delete the "UseFilter" value
+ if ($MitigationItem.SubKeyCount -eq 0) {
+ Remove-ItemProperty -Path $MitigationItem.PSPath -Name "UseFilter" -ErrorAction Stop
+ }
+ }
+ }
+ if (($MitigationItem.SubKeyCount -eq 0) -and ($MitigationItem.ValueCount -eq 0)) {
+ Write-Host "Removing empty Entry: " $MitigationItemName
+ Remove-Item -Path $MitigationItem.PSPath -ErrorAction Stop
+ }
+ }
+ Catch {
+ Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
+ }
+ }
+ }
+
+ # Delete all ExploitGuard System-wide Mitigations
+ function Remove-All-SystemMitigations {
+
+ if (!(Test-IsAdmin)) {
+ throw "ERROR: No Administrator-Privileges detected!"; return
+ }
+
+ $Kernel = Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel"
+
+ Try {
+ if ($Kernel.GetValue("MitigationOptions"))
+ { Write-Host "Removing System MitigationOptions"
+ Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationOptions" -ErrorAction Stop;
+ }
+ if ($Kernel.GetValue("MitigationAuditOptions"))
+ { Write-Host "Removing System MitigationAuditOptions"
+ Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
+ }
+ } Catch {
+ Write-Host "ERROR:" $_.Exception.Message "- System"
+ }
+ }
+
+ Remove-All-ProcessMitigations
+ Remove-All-SystemMitigations
+ ```
+
+2. Create and import an XML configuration file with the following default mitigations, as described in Import, export, and deploy Exploit Protection configurations:
+
+ ```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ```
+
+If you haven’t already, it's a good idea to download and use the [Windows Security Baselines](https://docs.microsoft.com/en-us/windows/device-security/windows-security-baselines) to complete your Exploit protection customization.
+
+## Related topics
+
+- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
+- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
+- [Evaluate Exploit protection](evaluate-exploit-protection.md)
+- [Enable Exploit protection](enable-exploit-protection.md)
+- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md)
+- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)
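Review bot: Step 1 deletes every per-process `MitigationOptions` and `MitigationAuditOptions` value under Image File Execution Options, plus the system-wide ones under `Session Manager\kernel`, but the text ahead of the script never tells the reader to save the current configuration first. The device also runs with those settings removed until the baseline in step 2 is imported. I would add a sentence before the script such as `Before you run the script, export the current configuration with Get-ProcessMitigation -RegistryConfigFilePath <backup.xml> so you can restore it, and import the baseline in step 2 immediately afterwards.` Separately, the `Catch` in `Remove-ProcessMitigations` prints `$MitigationItemName`, which is not a parameter of that function and resolves only through the caller's scope, so a failure on a full-path filter entry is reported under the parent key's name. `Write-Host "ERROR:" $_.Exception.Message "- at ($Name)"` would name the entry that actually failed.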
|